Channels

Services

RTSP vulnerability hits MPlayer and VLC [Update]

A vulnerability in the xine-lib multimedia library that was fixed last week also affects MPlayer and the VLC media player. Attackers can exploit bugs in the real time data stream processing routines to inject malicious code using crafted RTSP data streams.

The sdpplin_parse() function in the stream/realrtsp/sdpplin.c file of MPlayer, or modules/access/rtsp/real_sdpplin.c file of VLC media player fails to check the length of the streamid SDP parameter in a real time protocol data stream (RTSP), resulting in a potential buffer overflow. Using this, attackers can overwrite arbitrary memory areas using crafted data streams and execute injected code such as trojans.

Security service provider Secunia has also reported another vulnerability in VLC that allows attackers to inject malicious code while MP4 files are being parsed.

Neither VLC media player nor MPlayer have yet been updated to fix the bugs. xine-lib also still contains unfixed security vulnerabilities which can be exploited by attackers to inject malicious code using crafted files. At present all the major open source media players are affected by critical security vulnerabilities. MPlayer users should steer clear of untrusted FLAC and MOV files, VLC users should avoid untrusted subtitle files and both groups should avoid untrusted real time data streams. Users of xine-lib based media players such as Kaffeine, Totem or Xine should avoid MP4, MOV, Real and Matroska files until updated versions are available. A demo exploit for the MPlayer and VLC security vulnerabilities has already been published on milw0rm.